RTF malware analysis — malicious · 9966f78ffb6bee7a

MALICIOUS

RTF

77.6 KB First seen: 2024-07-24

MD5: d3e7b271f897a4cf728e20f4002c0bc2 SHA-1: cdce02089c91345c8ea918daaccd589ab2ba15e9 SHA-256: 9966f78ffb6bee7a8981e3be18c42f2ef708a56b80e5adda68708bbc7023957d

160 Risk Score

Malware Insights

MITRE ATT&CK

T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The RTF file contains multiple indicators of exploiting Microsoft Equation Editor, including OLE object data and specific RTF heuristics related to Equation Editor vulnerabilities. The presence of ".bin" file with "rtf-objdata-decoded" suggests an embedded object that is likely the initial stage of a multi-stage attack. The heuristics strongly indicate a known exploit vector targeting Equation Editor.

Heuristics 4

Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR

RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000201a.bin` `6ee05f946d38a960f57d53f750fbe43d71c5e4e2afda1b84576d87ff84b9db3c`	rtf-objdata-decoded	RTF \objdata at offset 0x201A	1563 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.